
Wednesday, May 31, 2006

WgaTray.exe opens security hole

It’s called Windows Genuine Advantage. I’ve received a couple of emails about the file WgaTray.exe, which was part of this week's Windows Update. Some asked how this file is able to run on startup yet isn’t listed by WinPatrol or other programs as an auto-startup program.

Well, the answer is simple: this program is treated as part of the Windows operating system. After Windows starts, it looks for this file in the system32 folder and runs it. Unfortunately, there’s a serious problem with the way Microsoft has implemented its anti-piracy system. The way Windows handles this file opens up a big security hole that most programs won’t plug. Any malicious program can delete WgaTray.exe and replace it with its own malware using the same name. Windows does nothing to verify this program before running it the next time you reboot.

You can also find a discussion at Broadband Reports.com: http://www.dslreports.com/forum/remark,15963038 The topic of that discussion is more about flaws in Windows piracy checking than about security. If you have your system set for auto-updates, the newest version of WgaTray.exe will have been downloaded this week.
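The check the post says Windows skips (confirming that the file in system32 is still the one that was installed) is something a user can do for themselves. The following is an added example, not code from the original post or from Microsoft: it records a size and SHA-256 baseline for a list of auto-start binaries and reports any that are missing, unexpectedly present, or replaced. The file name and contents in `demo()` are constructed stand-ins in a temporary directory, not the real system32 file.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

Fingerprint = Optional[Dict[str, object]]


def file_fingerprint(path: str) -> Fingerprint:
    """Return the size and SHA-256 of a file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": os.path.getsize(path), "sha256": digest.hexdigest()}


def take_baseline(paths: List[str]) -> Dict[str, Fingerprint]:
    """Fingerprint every path once, e.g. right after a trusted Windows Update run."""
    return {p: file_fingerprint(p) for p in paths}


def verify_baseline(baseline: Dict[str, Fingerprint]) -> List[str]:
    """Compare the current state of each path with the baseline.

    Returns one finding per discrepancy: MISSING (file deleted), NEW (file
    appeared where none was recorded) or REPLACED (same name, different bytes).
    A file that is deleted and re-created with the same name, which is the
    scenario the post describes, shows up as REPLACED.
    """
    findings: List[str] = []
    for path, expected in baseline.items():
        current = file_fingerprint(path)
        if expected is None and current is None:
            continue
        if expected is not None and current is None:
            findings.append(f"MISSING {path}")
        elif expected is None and current is not None:
            findings.append(f"NEW {path}")
        elif current != expected:
            findings.append(
                f"REPLACED {path} sha256 {expected['sha256'][:12]}.. "
                f"-> {current['sha256'][:12]}.."
            )
    return findings


def demo() -> List[str]:
    """Constructed scenario: baseline a stand-in WgaTray.exe, then swap it out."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "WgaTray.exe")  # stand-in, not the real file
        with open(target, "wb") as fh:
            fh.write(b"MZ genuine placeholder")
        baseline = take_baseline([target])
        if verify_baseline(baseline):
            raise RuntimeError("fresh baseline must verify clean")
        # Delete and re-create under the same name, as the post describes.
        os.remove(target)
        with open(target, "wb") as fh:
            fh.write(b"MZ impostor placeholder")
        return verify_baseline(baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two practical notes: the baseline must be re-taken after every legitimate update (the post itself says this week's update shipped a new WgaTray.exe, which would correctly show as REPLACED), and a baseline stored on the same disk can be edited by the same malware, so keep it on removable media or another machine and compare from there.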

4 Comments:

Anonymous said...

Truth: Windows starts WGATray.exe just like any other auto-start program (anti-virus scanners, firewalls, etc).

Reality-check: Without an antivirus program running in the background (most of which DO check for program replacement activity, as do anti-spyware programs), ANY file can be replaced by "some" malicious program.

Protection: run in 'limited-user' mode all the time. Only change yourself to privileged-user when you absolutely HAVE to do so (like when installing programs). A limited user cannot delete executables in the Windows folders, cannot install programs and cannot set things to auto-start. Running as a limited-user will also prevent many other kinds of problems too.

It's not just another auto-start program because it's not even detected by msconfig. That's the root of my complaint.

WgaTray isn't implemented like other Windows system files. When Windows core technology was designed, a lot of smart ideas for security were built in. The WGA technology was an after-thought which was probably created at the request of some non-technical higher-up.

The threat from WgaTray isn't high-risk because it can only be used if malware has been introduced on a machine in the first place. If it were, I'd be making a lot more noise.

Unfortunately, "I knew I shouldn't have hit that button" infections happen all the time. Most users have good anti-malware software which will detect and clean up any infiltrations. If, however, the malware replaces WgaTray.exe, it won't be detected. And then, if it tries to communicate out to the net, will Windows XP's built-in firewall catch it? Non-Microsoft firewalls will catch it, but many users will probably give it permission.